Quietly, the Feds recently set the stage for a massive expansion of enforcement of privacy rules under the Health Insurance Portability and Accountability Act (HIPAA).
The message: If business associates have potential access to any private health information, they should be prepared for the Feds to take enforcement action against them only for any breaches of privacy. In a new memo, the U.S. Office for Civil Rights (OCR) underlines the word “only”.
Translation: The Feds’ authority to go after a business associate under HIPAA is nothing new, but in practice, business associates typically came under scrutiny as an offshoot of an inquiry into a healthcare provider or insurer. Now the Feds are signaling a shift in emphasis toward the direct liability of a business associate.
“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” said OCR Director Roger Severino.
As a provider, it’s important to make sure your business associates are protecting the privacy of your clients — and that they understand the extent of their responsibility.